Security advisories for old versions of Firefox

Dan Veditz has updated the Mozilla Foundation Security Advisories page with information about holes that were fixed for Firefox 1.0, Thunderbird 0.9 and 1.0, and Mozilla 1.7.5.

None of the holes were arbitrary-code-execution holes, which surprised me. The worst hole fixed for Firefox 1.0 was the javascript: Live Bookmarks hole, which required some user cooperation and allowed attackers to steal cookies and sometimes execute arbitrary code. In contrast, many previous Mozilla and Firefox releases included new fixes for memory management holes such as buffer overflows. Exploits for memory management holes are harder to write, but they allow attackers to execute arbitrary code without getting any cooperation from users.

10 Responses to “Security advisories for old versions of Firefox”

  1. Abdulkadir Topal Says:

    Why is that? Do you know more than we?

  2. Jesse Ruderman Says:

    Many arbitrary-code-execution holes had been fixed between 1.6 and 1.7.3, as you can see on that page. Several releases included multiple fixes. Assuming a constant rate of hole reports and fixes, it seemed likely that an arbitrary-code-execution hole would be discovered in any given two-month period, such as the period between 1.0PR and 1.0.

  3. Jan! Says:

    The Live Bookmarks javascript: vulnerability could potentially lead to chrome privileges and therefore arbitrary code execution. Or did I misunderstand that?

  4. Brant Gurganus Says:

    The less-than sign in your heading is causing the RSS 2.0 feed from to be invalid. It should be syndicated as &lt; instead of the symbol itself.

  5. Jesse Ruderman Says:

    I’m pretty sure that’s Planet’s fault. My RSS feed is valid.

  6. Jesse Ruderman Says:

    Oops, I meant “my RSS feed is well-formed XML”. I don’t know whether it’s valid.

  7. Jesse Ruderman Says:

    Jan, you’re right. The Live Bookmarks javascript: vulnerability requires some user cooperation, but now that I think about it, it isn’t hard to convince some users to add an RSS feed, and those users tend to be advanced users.

  8. Jesse Ruderman Says:

    Since tor didn’t jump up to fix the bug in Planet, I removed the < from the title of this post. I hope the bug in Planet eventually gets fixed because it is likely to cause similar problems again and because it could be a security hole.

  9. byron Says:

    fyi i reported the planet issue last time it broke.

  10. michaell Says:

    “Since tor didn’t jump up to fix the bug in Planet”

    Has anyone hassled him about it? This is the third time I’ve seen it broken recently – it got broken twice by different blogs covering the Blake Ross Q&A.

    As for the security issue, I guess it’d only be Mozilla bloggers that could exploit it, and one would hope that they could be trusted :)